
I take the view that a lot of password cracking tools are quite limited in the size of the password they will handle.

There is also the question of how long someone will continue to attempt a crack.

I generally recommend that newbies (or anyone else for that matter) use a "core password" and just expand it with some easily remembered characters something like this:

€12345"core password"ABCDE$

If you cannot do someone any good: don't do them any harm....
As long as you did this to one of these, the least of my little ones............you did it unto Me.
What profiteth a man if he gains the entire World at the expense of his immortal soul?

It is funny that you should mention that, as 90% of the installations I have worked on require that every 90 days all passwords will be changed. And it's tough enough to get that 'core' password to flow from your fingertips so everyone just adds a bit to the front and back ....

Very useful technique

But, there are some 'evil' systems that 'know' what you're doing and state that this password is too similar to the old one. Grr.

I do not understand the concern over password complexity. According to my math, if I extract my password randomly from the alphanumeric set plus the shifted numerics I will only need a password four entities long to satisfy the ANSI X9.9 standard, which states that the odds of guessing an authentication response must be no greater than one in 1'000'000.

Given the normal three attempts before lockout policy featured by security-minded organizations, this number is divided by three for odds of one in 1'492'485. To reset the lockout the user must enter the correct authentication response twice consecutively. The first time will error as normal and quietly unlock the account. The user will then be notified of the login failures and can respond appropriately.

Considering that password hashes are plaintext equivalent, the cracking argument is not valid either, never mind the fact that very privileged access must already be acquired to access the hashes in the first place.

Passwords face five discrete threats:

1. Guessing (resolved by a four entity password as shown above.)
2. Brute force (resolved by limiting the attempts.)
3. Perception management (still an unresolved issue not affected by password complexity.)
4. Recording (resolved by ensuring system and channel integrity.)
5. Emanations (resolved by ensuring environmental integrity.)

Mandating long or complex authentication responses does little to increase trustworthiness while increasing the occurrence of users handling passwords inappropriately and decreasing administrative vigilance to invalid authentication attempts.

Three shots and you're out is different from a hash download and all the time in the world?

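To put numbers on the online-versus-offline distinction raised in the last two posts, here is an added Python example; it is not code posted by anyone in this thread. It assumes the 72-symbol alphabet described above (letters, digits, and the shifted digits !@#$%^&*() on a US keyboard, an assumption about what "shifted numerics" means), a three-attempt lockout for online guessing, and an assumed rate of one billion hashes per second for offline cracking of an unsalted fast hash such as SHA-256. All function names and the hash rate are this example's own.

```python
import hashlib
import itertools
import string
from typing import Dict, List, Optional

# Constructed alphabet: 26 lower + 26 upper + 10 digits + 10 shifted digits = 72.
# Assumption: "shifted numerics" means the characters above 1-0 on a US keyboard.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"

# Assumed throughput for an unsalted fast hash on commodity hardware.
# This figure is an assumption for illustration, not a measurement.
ASSUMED_HASHES_PER_SECOND = 1e9


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols chosen uniformly from the alphabet."""
    return alphabet_size ** length


def online_guess_odds(alphabet_size: int, length: int, attempts: int) -> float:
    """Probability that an attacker limited to `attempts` guesses before lockout
    hits a uniformly random password. Each wrong guess rules out one candidate,
    so the chance is attempts / keyspace."""
    return attempts / keyspace(alphabet_size, length)


def offline_exhaust_seconds(alphabet_size: int, length: int,
                            hashes_per_second: float) -> float:
    """Worst-case time to try every candidate against a stolen hash.
    No lockout applies here; only hashing throughput limits the attacker."""
    return keyspace(alphabet_size, length) / hashes_per_second


def sha256_hex(password: str) -> str:
    """Stand-in for a stolen unsalted password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def offline_crack(target_hex: str, alphabet: str, max_length: int) -> Optional[str]:
    """Brute-force a stolen SHA-256 hash by enumerating every password up to
    max_length. This is the 'hash download and all the time in the world' case."""
    for length in range(1, max_length + 1):
        for chars in itertools.product(alphabet, repeat=length):
            candidate = "".join(chars)
            if sha256_hex(candidate) == target_hex:
                return candidate
    return None


def report(lengths: List[int], attempts: int = 3,
           hashes_per_second: float = ASSUMED_HASHES_PER_SECOND) -> List[Dict[str, float]]:
    """Compare the online (lockout-limited) and offline (throughput-limited)
    threats for several password lengths over the 72-symbol alphabet."""
    rows = []
    for length in lengths:
        rows.append({
            "length": length,
            "keyspace": keyspace(len(ALPHABET), length),
            "online_odds": online_guess_odds(len(ALPHABET), length, attempts),
            "offline_seconds": offline_exhaust_seconds(len(ALPHABET), length, hashes_per_second),
        })
    return rows


if __name__ == "__main__":
    for row in report([4, 8, 12]):
        print("len={length:2d} keyspace={keyspace:.3e} "
              "online odds in 3 tries={online_odds:.2e} "
              "offline exhaust={offline_seconds:.3e}s".format(**row))

    # Demonstration on a constructed 3-character password: with the hash in
    # hand, the full 3-symbol space (about 378k candidates) falls in well under
    # a second of pure Python, with no lockout to stop it.
    stolen = sha256_hex("x7!")
    print("recovered:", offline_crack(stolen, ALPHABET, 3))
```

The `report` rows make the two threats comparable on one scale: a four-symbol password already meets a one-in-a-million online guessing bound with a three-attempt lockout, yet the same keyspace of about 26.9 million candidates is exhausted offline in a fraction of a second at the assumed rate, and only longer passwords push the offline figure out to years.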